Energy infrastructure through the eyes of SOC/SIEM ... - PTPiREE
TRANSCRIPT
Energy Infrastructure Through the Eyes of a Next-Generation SOC/SIEM
Janusz Sawicki, Security Sales Account Executive, Micro Focus, (M) +48 609 82 12 14, [email protected]
Source: https://www.youtube.com/watch?v=c3kP-jjgx1E
The fourth industrial revolution
Source: F-Secure - IoT-Threat-Landscape.pdf
IN THE BEGINNING
In 2002, the first malware that could infect IoT devices was discovered: Tsunami, AKA Kaiten.
• Spread manually
• Generally targeted Linux machines, including IoT devices like routers and machines running BusyBox
Industry 4.0 security incidents
SECURITY INCIDENT | DATE
Disruption of multiple DaimlerChrysler car manufacturing plants by a Zotob worm | August 16, 2005
Stuxnet worm attack on Natanz nuclear enrichment lab in Iran | 2010
Cyberattacks on Smart Meters | 2010
Cyberattack on a SCADA system of an American water and utility company causing destruction of one of the pumps | November 8, 2011
Shamoon virus - cyberattack on Saudi Arabian Oil Company (Saudi Aramco) | August 15, 2012
Havex / Dragonfly - a Remote Access Trojan targeted at SCADA, PLC and DCS systems | 2014
German steel mill attack | 2014
Cyberattack on Kemuri Water Company's water treatment plant | 2015
Cyberattack on a power grid in Ukraine | December 23, 2015
Mirai - IoT botnet attack | October 21, 2016
Industroyer - second cyberattack on the Ukrainian power grid | December 17, 2016
WannaCry ransomware worldwide cyberattack | May 2017
NotPetya - ransomware created to cause damage | June 2017
Triton malware attack on a Safety Instrumented System (SIS) | November 2017
... | ...
CyberScape
Source: https://collaborate.mitre.org/attackics/index.php/Technique_Matrix
Visual representation of some state-of-the-art networking technologies for IoT
Source: Internet of Things Security Landscape - Cyber Security Agency of Singapore and Ministry of Economic Affairs and Climate Policy of the Netherlands
Why the Current SOC Can't Keep Up
• Fragmented Security
• Scalability
• Data Volume
• Advanced Attacks
• The War for Talent
What a Next-Gen SOC Needs
Challenges: Fragmented Security, Scalability, Data Volume, Advanced Attacks, The War for Talent
Needs:
• Rich Analytics
• Layered Analytics
• Scalable Architecture
• Intelligent Automation
• Complete Ecosystem
How to Connect a Mass of IoT Data with SOC/SIEM
Diagram: data sources (IT, OT, IoT, Physical) feeding consumers (SIEM, Hadoop, UEBA/UBA, Advanced Analytics, Hunt, Visualization). Traditional N : 1 Architecture (each source wired to one consumer) versus Open N : M Architecture through the Transformation Hub (Apache Kafka included).
ArcSight Transformation Hub
Ways to bring IoT data into the SIEM:
• IoT to SIEM - Kafka Connect for MQTT
• MQTT Proxy
• Build Your Own Custom Bridge / MQTT Broker Extension
• IoT to SIEM - Kafka Connect for CoAP
• ArcSight SmartConnectors
• ArcSight Flex Connectors
What Connectors do:
Encrypted + Compressed + Split Feeds + Rate Limiting + Batching + Scheduling
• Data reception: receive logs from any data source
• Normalization: human-readable fields; apply rules/monitors across different log sources
• Categorization: the same rules/searches still apply after new device vendors are introduced
• Enrichment: saves the time spent building context manually for every event
Common Format
Sources: IT, OT, Custom, IoT, Physical
Common fields: Source IP, Time Stamp, Bytes Out, Device Class, Request URL, Significance, Behavior, Object, Outcome, Device Group, Geo Location, Host Name
Enrichment context: Network Model, Delivery Layer, Cloud
More: https://www.microfocus.com/documentation/arcsight/
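To make the connector pipeline above concrete, here is an added example (not ArcSight code) of the normalization, categorization and enrichment steps: one constructed IT syslog line and one constructed MQTT telemetry message from a PLC are both mapped onto the Common Format fields listed above, so that a single detection rule can run over both sources. The syslog and JSON layouts, the asset inventory and the category strings are all assumptions made for the example.

```python
import re
import json
from datetime import datetime, timezone

# Constructed asset inventory used for enrichment (not real data).
ASSET_GROUPS = {"10.0.1.20": "substation-A", "10.0.7.5": "corporate-it"}

# Categorization: vendor-specific verbs map to a common Behavior/Outcome pair, so rules
# written against the common fields keep working when a new vendor is onboarded.
CATEGORY_MAP = {
    "login failed": ("/Authentication/Verify", "/Failure"),
    "login ok": ("/Authentication/Verify", "/Success"),
    "setpoint_write": ("/Modify/Configuration", "/Success"),
}

# Assumed syslog layout: "<timestamp> <host> <app>: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+): (?P<msg>.*)$")

def enrich(event: dict) -> dict:
    """Enrichment: attach Device Group from the inventory instead of building context by hand."""
    event["Device Group"] = ASSET_GROUPS.get(event["Source IP"], "unknown")
    return event

def normalize_syslog(line: str) -> dict:
    """IT source: parse a syslog line into Common Format fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unparsable syslog line")
    msg = m["msg"].lower()
    src = re.search(r"from (\d+\.\d+\.\d+\.\d+)", msg)
    verb = next((k for k in CATEGORY_MAP if k in msg), None)
    behavior, outcome = CATEGORY_MAP.get(verb, ("/Unknown", "/Unknown"))
    return enrich({"Time Stamp": m["ts"], "Host Name": m["host"],
                   "Source IP": src.group(1) if src else None,
                   "Device Class": "Server", "Behavior": behavior, "Outcome": outcome,
                   "Object": m["app"], "Bytes Out": 0})

def normalize_mqtt(topic: str, payload: bytes) -> dict:
    """IoT/OT source: MQTT message (assumed topic "plant/<device>/events", JSON payload)."""
    data = json.loads(payload)
    behavior, outcome = CATEGORY_MAP.get(data.get("action"), ("/Unknown", "/Unknown"))
    ts = datetime.fromtimestamp(data["ts"], tz=timezone.utc).isoformat()
    return enrich({"Time Stamp": ts, "Host Name": topic.split("/")[1],
                   "Source IP": data.get("src"), "Device Class": "PLC",
                   "Behavior": behavior, "Outcome": outcome,
                   "Object": topic, "Bytes Out": len(payload)})

def config_change_from_it_network(event: dict) -> bool:
    """One rule over the common fields: a configuration change originating from the IT zone."""
    return event["Behavior"] == "/Modify/Configuration" and event["Device Group"] == "corporate-it"
```

The same rule fires on the PLC setpoint write but not on the failed SSH login, without the rule knowing which vendor or transport produced the event.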
Collect
• Connect to all your data
Prepare
• Normalize, enrich
• Initial analysis
Store
• Compliance
• Basis for scaled-out analytics
Analyze
• Detect known and unknown threats in real time
Explore
• Efficient threat hunting and investigation
Act
• Automatic remediation when a threat has been found
Security Open Data Platform
Products: ArcSight Logger, ArcSight Recon, SOAR Integrations (Micro Focus ArcSight 2020), ArcSight ESM, ArcSight Interset
Layered Threat Detection
• Real-time Correlation: detect known threats; correlate all data to find threats.
• Unsupervised Machine Learning: detect unknown threats; no rules or thresholds.
Most real-world threat scenarios require a mix of both approaches.
Security Open Data Platform
▪ Collect from anywhere
▪ Use it everywhere
▪ Clean, enriched data enables greater insights
▪ Structured data is more cost-effective
ArcSight Recon
▪ Unifies storage, reporting, investigation and analysis of elusive unknown threats
▪ Cost-effective long-term data storage
▪ Non-stop security compliance
▪ Ingest and search through billions of events in seconds
▪ Built-in analytics and guidance
ArcSight ESM
▪ Extensive coverage of MITRE ATT&CK
▪ Industry-leading correlation engine with customizable rules
▪ Scalable (up to 100k EPS)
▪ Triage, ticketing and automated response
▪ Many partners and integrations
▪ Flexible architecture and configuration
▪ Includes ArcSight Fusion: the new dashboard UI for ArcSight SecOps
ArcSight Interset
▪ Behavior-based anomaly detection to better detect insider threats
▪ See potential threats in context
▪ Cut through the noise to investigate priority threats
▪ Visualize and respond quickly
▪ Scale as you grow with Interset's native big data architecture
Security Orchestration, Automation and Response
▪ Automated Response
▪ ArcSight APIs
▪ SOAR acquisition
▪ Digital Workflow and SOAR partners
Building Playbooks with ArcSight SOAR
Diagram: analyst tasks are grouped into task lists, which are assembled into a playbook.
NPC Ukrenergo Powers Security with ArcSight
▪ Industry: Energy and Utilities
▪ Location: Ukraine
▪ Challenge: Protect critical infrastructure from cyberattacks, create visibility into threat data, and encourage cross-team collaboration
▪ Solutions Deployed: ArcSight ESM and Logger were deployed to lay the foundation for a multi-tier SOC. ArcSight Flex Connectors collect event sources for categorization, aggregation and enrichment.
RESULTS
▪ Enabled cross-team collaboration
▪ Improved alerting and incident response
▪ Monitor security across 230,000+ consumers
Dubai Electricity and Water Authority: More Visibility, Less Risk with ArcSight
▪ Industry: Energy and Utilities
▪ Location: Dubai, United Arab Emirates
▪ Challenge: Consolidate IT with OT so that data can be shared between systems to improve threat intelligence and device monitoring
▪ Solution: Deployed ArcSight ESM, SODP, and Investigate to build a sophisticated security ecosystem that could interface with their existing Hadoop, Spark, and Elastic solutions
RESULTS
▪ 30% security alarm reduction
▪ 98% risk mitigation rate
▪ 99% device visibility
▪ Reduced meter fraud
Source: https://www.youtube.com/watch?v=qd9eQX7gL5s&feature=youtu.be
Thank you. Q&A